Critical Microsoft Office Zero-Day Flaw Exposes Sensitive Data

Microsoft has just disclosed a zero-day vulnerability in its Office suite, identified as CVE-2024-38200, which currently remains unpatched. If exploited, this vulnerability could allow unauthorized access to sensitive information. Classified as a spoofing flaw, it carries a high CVSS severity score of 7.5. The affected versions include Microsoft Office 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Office 2019. This vulnerability was discovered and reported by security researchers Jim Rush and Metin Yunus Kandemir.

In a web-based attack scenario, an attacker would host a specially crafted file on a website they control, or on a compromised site that accepts user-provided content, and then lure the victim into clicking a link sent by email or instant message so that the malicious file is opened. In other words, despite the severity rating, successful exploitation depends on social engineering: the flaw cannot be triggered without user interaction.

Microsoft has acknowledged the issue and announced that a formal patch for CVE-2024-38200 will be included in the upcoming Patch Tuesday updates scheduled for August 13. In the meantime, an alternative fix has been implemented through a process known as Feature Flighting, enabled on July 30, 2024. While this interim fix provides some protection, users are advised to apply the final patch as soon as it becomes available for optimal security.

To mitigate the risk while the patch is pending, Microsoft has outlined three specific mitigations. First, configuring the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting controls whether a host may send NTLM authentication to remote servers at all, which is the traffic this class of attack abuses. Second, adding users to the Protected Users security group prevents NTLM from being used as an authentication mechanism for those accounts, thereby reducing the risk of exploitation. Finally, blocking outbound TCP 445 (SMB) at the network perimeter, through local firewalls or VPN settings, prevents NTLM authentication messages from reaching remote file shares.
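To check whether a Windows host actually has the three mitigations in place, here is an added PowerShell audit (example code written for this article, not from Microsoft or the original post). It assumes the documented registry value behind the first policy setting (RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny), the well-known RID 525 of the Protected Users group, and the NetSecurity firewall cmdlets shipped with Windows 8.1/Server 2012 R2 and later; the function and property names are my own.

```powershell
# Added example: audits the three interim mitigations Microsoft listed for
# CVE-2024-38200 on the local host. Read-only; it changes no settings.
function Get-Cve202438200MitigationStatus {
    [CmdletBinding()]
    param()

    # 1. "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #    is backed by this DWORD: 0 = Allow all, 1 = Audit all, 2 = Deny all.
    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $outgoingNtlm = switch ($restrict) {
        2       { 'Deny all (mitigated)' }
        1       { 'Audit all (logging only, not mitigated)' }
        default { 'Allow all / not configured (not mitigated)' }
    }

    # 2. Protected Users membership of the interactive user. The group's RID is 525,
    #    so match the SID suffix rather than the (localisable) display name. Token
    #    membership is fixed at logon, so a user added afterwards must log on again.
    $identity         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $inProtectedUsers = [bool]($identity.Groups | Where-Object { $_.Value -match '-525$' })

    # 3. An enabled outbound block rule covering TCP/445 in the active firewall policy.
    #    Port filters are queried first and then mapped back to their parent rules.
    $smbBlock = Get-NetFirewallPortFilter -All -PolicyStore ActiveStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.RemotePort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        User                  = $identity.Name
        OutgoingNtlmPolicy    = $outgoingNtlm
        UserInProtectedUsers  = $inProtectedUsers
        OutboundSmbBlockRules = @($smbBlock | ForEach-Object DisplayName)
        AllThreeMitigated     = ($restrict -eq 2) -and $inProtectedUsers -and (@($smbBlock).Count -gt 0)
    }
}

Get-Cve202438200MitigationStatus | Format-List
```

Run it in an elevated session on a domain-joined workstation; a perimeter firewall or VPN block on TCP 445 is outside the host's view and will not show up in the third check.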

In addition to addressing CVE-2024-38200, Microsoft is also working on fixing two other zero-day vulnerabilities, CVE-2024-38202 and CVE-2024-21302. These bugs could potentially be used to “unpatch” up-to-date Windows systems, effectively reintroducing older vulnerabilities. This highlights a critical challenge in cybersecurity—patched systems can still be at risk if attackers find ways to bypass or undo security updates. Moreover, a recent report by Elastic Security Labs revealed that attackers have been using a technique called LNK stomping for over six years to run malicious applications without triggering Windows security warnings.
